MEP Voss (EPP) Draft Opinion European Data Protection Directive for JURI

EUROPEAN PARLIAMENT 2009 - 2014

Committee on Legal Affairs

2012/0010(COD)

4.1.2013

DRAFT OPINION

of the Committee on Legal Affairs

for the Committee on Civil Liberties, Justice and Home Affairs

on the proposal for a directive of the European Parliament and of the Council on protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data (COM(2012)0010 – C7-0024/2012 – 2012/0010(COD))

Rapporteur: Axel Voss

PA\921963EN.doc PE502.007v01-00

EN United in diversity EN

PA_Legam

PE502.007v01-00 2/74 PA\921963EN.doc

EN

SHORT JUSTIFICATION

The EU is rightly seeking to equip itself with a comprehensive, coherent, modern, high-level framework for data protection, since the challenges facing data protection are numerous. They include globalisation, technological development, enhanced online activity, uses related to more and more criminal activities, and security concerns.

The relevant European rules (Article 16 TFEU and the recognition in Article 8 of the Charter of Fundamental Rights of the right to protection of personal data as an autonomous right) must therefore provide individual citizens with legal certainty and confidence in the behaviour of data controllers, and in particular of prosecution and enforcement authorities, since violations of data protection provisions can lead to serious risks for the fundamental rights and freedoms of individuals and the values of the Member States.

Consequently, the European Parliament has always taken the view that the fundamental rights to data protection and privacy include the protection of persons from possible surveillance and abuse of their data by the state itself. The Commission proposal for a directive on 'the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data' is consistent with this view, and the rapporteur essentially welcomes it.

Nevertheless, data protection in the field of criminal investigation and enforcement must be adapted to other considerations relating to the rule of law and deriving from the state monopoly on the use of force. Data protection legislation in relation to averting risk, establishing and safeguarding public security and investigating crimes and executing criminal penalties must match the tasks to be performed by the state and ensure that it is still able to perform these tasks effectively, in the interests of all its citizens.

Data protection legislation at European level is generally characterised by differing levels of competence. What used to be known as the first pillar is characterised by extremely far-reaching competence deriving from the internal market. What used to be known as the third pillar is defined by cooperation rather than communitisation. Thus Framework Decision 2008/977/JHA went furthest in setting minimum standards in this area.

It should also be borne in mind, in the field of police and judicial cooperation, that legal traditions have developed very differently in the EU Member States in the course of the centuries, and any alteration to well-established national structures and traditions in this sensitive area through European rules should therefore be introduced cautiously and gradually.

The situation regarding the scope of Article 16 TFEU in relation to European data protection law is also controversial and is yet to be clarified through case-law. This creates legal uncertainty which the rapporteur considers should be resolved through pragmatism:

The draft directive proposed by the Commission includes the exchange of data at domestic level within the scope of the directive, whereas Article 16(2) TFEU gives the EU competence

PA\921963EN.doc 3/74 PE502.007v01-00

EN

only within the scope of Union law. This does not include domestic processing of data in the police area (Article 87 TFEU).

A peculiarity of data protection is that it has horizontal effects and is liable to have an impact in areas that are not designated as falling within the unrestricted competence of the EU, thereby possibly breaching the subsidiarity principle.

In light of these considerations, the rapporteur takes the view that the directive should do no more than set minimum standards. In practice, this renders obsolete the question of 'only cross-border' or 'also domestic' data protection, and a higher level of data protection may in any case be maintained.

However, in order to preserve the balance with data protection as a fundamental right, the directive must at the same time strengthen and give a clear definition of individual rights. The principles of transparency and scrutiny must be enshrined, but they should not run counter to the purpose of averting risks and prosecuting crimes.

The rapporteur considers the following amendments necessary in order to safeguard this balance between preserving the state monopoly on the use of force and guaranteeing public order and security and the physical integrity of the individual, on the one hand, and the right to data protection on the other:

Chapter I

- Averting risks is included in the scope (Article 1).

- The Member States are clearly permitted to set higher standards (Article 1). The objective is not harmonisation but setting minimum standards.

- The scope is expanded to include the Union institutions, bodies, offices and agencies (Article 2).

Chapter II

- The text of the key section on 'principles of data processing' is brought into line with the General Data Protection Regulation. The package approach means that these principles should tally (Article 4).

- Article 5 is deleted, since it represents an increase in bureaucracy and costs for the Member States and the legal effects have not been analysed.

- Purpose limitation in respect of the processing of data is a key principle of data protection. Articles 6 and 7 have been thoroughly reworked and expanded on the basis of Framework Decision 2008/977/JHA (here: Article 8 (accuracy), Article 3 (purpose limitation) and Article 13 (purpose limitation in respect of data from other EU countries).

Chapter III

PE502.007v01-00 4/74 PA\921963EN.doc

EN

The amendments to Chapter III focus on the individual concern requirement and an actual individual request for stored information.

- The possibility to limit the right to information (Article 12) is restricted to individual cases on examination, thereby strengthening individual rights.

- The right to information at the time when the data are obtained without any request being made is cut back in favour of national rules.

- The right to erasure and rectification has been reworded and strengthened. At the same time, exceptions to the right to erasure have been introduced, such as the legal obligation to retain data.

Chapter IV

- Article 20 'Joint controllers' is deleted, since it lowers the standard of data protection. In the context of external cooperation, both controllers should remain jointly liable vis-à-vis the data subject.

- Article 23 'Documentation' has been tightened up in line with Article 10 of Framework Decision 2008/977/JHA. As a result, Article 24 'Keeping of records' is deleted.

- Article 27 'Security of processing' has been brought into line with the text of Article 22 of the Framework Decision.

- Prior consultation/privacy impact assessment is introduced in the shape of new Article 28a, which has been taken from Article 23 of Framework Decision 2008/977/JHA.

- 'Data breaches' are to be notified only to the supervisory authority and not to the data subject (Articles 28 and 29).

Chapter V

- Article 35b incorporates the provisions of Article 13 of the Framework Decision and lays down specific rules on the handling of data from other Member States.

- Article 36 has been reworded; it should be possible to transfer data to third countries in spite of a negative decision on the adequacy of protection, in a very limited number of individual cases and subject to strict conditions, in order to protect vital interests, e.g. where lives are at risk.

Chapter VIII

- The right to bring class actions in Article 50 is deleted. Any complaint should be based on individual concern and individual cases.

PA\921963EN.doc 5/74 PE502.007v01-00

EN

Delegated and implementing acts

- The Commission proposal has been reworked to ensure that uniform rules apply to the adoption of delegated und implementing acts and prevent any drift of competence. As with the planned amendments to the draft General Data Protection Regulation (COM (2012) 11), preference is given to delegated acts or decisions at national level.

Non-contractual liability

- It is possible that the Commission could take the wrong decision regarding the adequacy of data protection in a third country or an international organisation and that this could result in harm. Such cases should be mentioned in the directive.

AMENDMENTS

The Committee on Legal Affairs calls on the Committee on Civil Liberties, Justice and Home Affairs, as the committee responsible, to incorporate the following amendments in its report:

Amendment 1Proposal for a directiveRecital 7

Text proposed by the Commission Amendment

(7) Ensuring a consistent and high level of protection of the personal data of individuals and facilitating the exchange of personal data between competent authorities of Members States is crucial in order to ensure effective judicial co-operation in criminal matters and police cooperation. To that aim, the level of protection of the rights and freedoms of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties must be equivalent in all Member States. Effective protection of personal data throughout the Union requires strengthening the rights of data

(7) Ensuring a consistent and high level of protection of the personal data of individuals and facilitating the exchange of personal data between competent authorities of Members States is crucial in order to ensure effective judicial co-operation in criminal matters and police cooperation. To that aim, minimum standards must be ensured in all Member States with regard to any processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.

PE502.007v01-00 6/74 PA\921963EN.doc

EN

subjects and the obligations of those who process personal data, but also equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal data in the Member States.

Or. de



(12) In order to ensure the same level of protection for individuals through legally enforceable rights throughout the Union and to prevent divergences hampering the exchange of personal data between competent authorities, the Directive should provide harmonised rules for the protection and the free movement of personal data in the areas of judicial co-operation in criminal matters and police co-operation.

(12) In order to ensure a minimum level of protection for individuals through legally enforceable rights throughout the Union and to prevent divergences hampering the exchange of personal data between competent authorities, the Directive should provide a minimum level of harmonisation concerning the protection and the free movement of personal data in the areas of judicial co-operation in criminal matters and police co-operation.

Or. de



(15) The protection of individuals should be technological neutral and not depend on the techniques used; otherwise this would create a serious risk of circumvention. The protection of individuals should apply to processing of personal data by automated means, as well as to manual processing if the data are contained or are intended to be contained in a filing system. Files or sets of files as well as their cover pages, which are not structured according to specific criteria,

(15) The protection of individuals should be technological neutral and not depend on the techniques used; otherwise this would create a serious risk of circumvention. The protection of individuals should apply to processing of personal data by automated means, as well as to manual processing if the data are contained or are intended to be contained in a filing system. Files or sets of files as well as their cover pages, which are not structured according to specific criteria,

PA\921963EN.doc 7/74 PE502.007v01-00

EN

should not fall within the scope of this Directive. This Directive should not apply to the processing of personal data in the course of an activity which falls outside the scope of Union law, in particular concerning national security, or to data processed by the Union institutions, bodies, offices and agencies, such as Europol or Eurojust.

should not fall within the scope of this Directive. This Directive should not apply to the processing of personal data in the course of an activity which falls outside the scope of Union law, in particular concerning national security.

Or. de



(16) The principles of protection should apply to any information concerning an identified or identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the individual. The principles of data protection should not apply to data rendered anonymous in such a way that the data subject is no longer identifiable.

(16) The principles of protection should apply to any information concerning an identified or identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person working together with the controller to identify the individual. The principles of data protection should not apply to data rendered anonymous in such a way that the data subject is no longer identifiable.

Or. de



(23) It is inherent to the processing of personal data in the areas of judicial co-operation in criminal matters and police co-operation that personal data relating to different categories of data subjects are processed. Therefore a clear distinction

deleted

PE502.007v01-00 8/74 PA\921963EN.doc

EN

should as far as possible be made between personal data of different categories of data subjects such as suspects, persons convicted of a criminal offence, victims and third parties, such as witnesses, persons possessing relevant information or contacts and associates of suspects and convicted criminals.

Or. de

Justification

Results from the deletion of Article 5.



(24) As far as possible personal data should be distinguished according to the degree of their accuracy and reliability. Facts should be distinguished from personal assessments, in order to ensure both the protection of individuals and the quality and reliability of the information processed by the competent authorities.

deleted

Or. de

Justification




(26) Personal data which are, by their nature, particularly sensitive in relation to fundamental rights or privacy, including genetic data, deserve specific protection. Such data should not be processed, unless

(26) Personal data which are, by their nature, particularly sensitive in relation to fundamental rights or privacy deserve specific protection. Such data should not be processed, unless processing is specifically

PA\921963EN.doc 9/74 PE502.007v01-00

EN

processing is specifically authorised by a law which provides for suitable measures to safeguard the data subject's legitimate interests; or processing is necessary to protect the vital interests of the data subject or of another person; or the processing relates to data which are manifestly made public by the data subject.

authorised by a law which provides for suitable measures to safeguard the data subject's legitimate interests; or processing is necessary to protect the vital interests of the data subject or of another person; or the processing relates to data which are manifestly made public by the data subject.

Or. de



(30) The principle of fair processing requires that the data subjects should be informed in particular of the existence of the processing operation and its purposes, how long the data will be stored, on the existence of the right of access, rectification or erasure and on the right to lodge a complaint. Where the data are collected from the data subject, the data subject should also be informed whether they are obliged to provide the data and of the consequences, in cases they do not provide such data.

deleted

Or. de

Justification

Results from the amendment to Article 11.



(39) The protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers

deleted

PE502.007v01-00 10/74 PA\921963EN.doc

EN

and processors requires a clear attribution of the responsibilities under this Directive, including where a controller determines the purposes, conditions and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller.

Or. de

Justification




(43) In setting detailed rules concerning the format and procedures applicable to the notification of personal data breaches, due consideration should be given to the circumstances of the breach, including whether or not personal data had been protected by appropriate technical protection measures, effectively limiting the likelihood of misuse. Moreover, such rules and procedures should take into account the legitimate interests of competent authorities in cases where early disclosure could unnecessarily hamper the investigation of the circumstances of a breach.

deleted

Or. de

Justification

Results from the deletion of Articles 28 and 29.


PA\921963EN.doc 11/74 PE502.007v01-00

EN


(45) Member States should ensure that a transfer to a third country only takes place if it is necessary for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the controller in the third country or international organisation is an authority competent within the meaning of this Directive. A transfer may take place in cases where the Commission has decided that the third country or international organisation in question ensures an adequate level or protection, or when appropriate safeguards have been adduced.

(45) Member States should ensure that a transfer to a third country only takes place if it is necessary for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the controller in the third country or international organisation is an authority competent within the meaning of this Directive.

Or. de



(55) While this Directive applies also to the activities of national courts, the competence of the supervisory authorities should not cover the processing of personal data when they are acting in their judicial capacity, in order to safeguard the independence of judges in the performance of their judicial tasks. However, this exemption should be limited to genuine judicial activities in court cases and not apply to other activities where judges might be involved in accordance with national law.

(55) While this Directive applies also to the activities of national courts, the competence of the supervisory authorities should not cover the processing of personal data when they are acting in their judicial capacity, in order to safeguard the independence of judges in the performance of their judicial tasks.

Or. de


PE502.007v01-00 12/74 PA\921963EN.doc

EN


(56) In order to ensure consistent monitoring and enforcement of this Directive throughout the Union, the supervisory authorities should have the same duties and effective powers in each Member State, including powers of investigation, legally binding intervention, decisions and sanctions, particularly in cases of complaints from individuals, and to engage in legal proceedings.

deleted

Or. de



(57) Each supervisory authority should hear complaints lodged by any data subject and should investigate the matter. The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case. The supervisory authority should inform the data subject of the progress and the outcome of the complaint within a reasonable period. If the case requires further investigation or coordination with another supervisory authority, intermediate information should be given to the data subject.

(57) Each supervisory authority should hear complaints lodged by any data subject and should investigate the matter. The supervisory authority should inform the data subject of the progress and the outcome of the complaint within a reasonable period. If the case requires further investigation or coordination with another supervisory authority, intermediate information should be given to the data subject.

Or. de

Justification

Results from the deletion of the right to lodge a complaint for associations and DPAs in Article 50.

PA\921963EN.doc 13/74 PE502.007v01-00

EN



(61) Any body, organisation or association which aims to protects the rights and interests of data subjects in relation to the protection of their data and is constituted according to the law of a Member State should have the right to lodge a complaint or exercise the right to a judicial remedy on behalf of data subjects if duly mandated by them, or to lodge, independently of a data subject's complaint, its own complaint where it considers that a personal data breach has occurred.

deleted

Or. de

Justification

Results from the deletion of the right to lodge a complaint for associations and DPAs in Article 50.



(66) In order to fulfil the objectives of this Directive, namely to protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data and to ensure the free exchange of personal data by competent authorities within the Union, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission. In particular, delegated acts should be adopted in respect of notifications of a personal data breach to

deleted

PE502.007v01-00 14/74 PA\921963EN.doc

EN

the supervisory authority. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level. The Commission, when preparing and drawing-up delegated acts, should ensure a simultaneous, timely and appropriate transmission of relevant documents to the European Parliament and Council.

Or. de



(67) In order to ensure uniform conditions for the implementation of this Directive as regards documentation by controllers and processors, security of processing, notably in relation to encryption standards, notification of a personal data breach to the supervisory authority, and the adequate level of protection afforded by a third country or a territory or a processing sector within that third country or an international organisation, implementing powers should be conferred on the Commission. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission's exercise of implementing powers.

deleted

Or. de


PA\921963EN.doc 15/74 PE502.007v01-00

EN


(68) The examination procedure should be used for the adoption of measures as regards documentation by controllers and processors, security of processing, notification of a personal data breach to the supervisory authority, and the adequate level of protection afforded by a third country or a territory or a processing sector within that third country or an international organisation, given that those acts are of general scope.

(68) The examination procedure should be used for the adoption of measures as regards documentation by controllers and processors, security of processing and the adequate level of protection afforded by a third country or a territory or a processing sector within that third country or an international organisation, given that those acts are of general scope.

Or. de



(70) Since the objectives of this Directive, namely to protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data and to ensure the free exchange of personal data by competent authorities within the Union, cannot be sufficiently achieved by the Member States and can therefore, by reason of the scale or effects of the action, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality as set out in that Article, this Directive does not go beyond what is necessary in order to achieve that objective

deleted

Or. de

PE502.007v01-00 16/74 PA\921963EN.doc

EN



(72) Specific provisions with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties in acts of the Union which were adopted prior to the date of the adoption of this Directive, regulating the processing of personal data between Member States or the access of designated authorities of Member States to information systems established pursuant to the Treaties, should remain unaffected. The Commission should evaluate the situation with regard to the relation between this Directive and the acts adopted prior to the date of adoption of this Directive regulating the processing of personal data between Member States or the access of designated authorities of Member States to information systems established pursuant to the Treaties, in order to assess the need for alignment of these specific provisions with this Directive.

deleted

Or. de



(73) In order to ensure a comprehensive and coherent protection of personal data in the Union, international agreements concluded by Member States prior to the entry force of this Directive should be amended in line with this Directive.

deleted

PA\921963EN.doc 17/74 PE502.007v01-00

EN

Or. de

Amendment 22Proposal for a directiveArticle 1 – paragraph 1


1. This Directive lays down the rules relating to the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.

1. This Directive lays down the rules relating to the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of risk prevention, the investigation, detection or prosecution of criminal offences and the execution of criminal penalties.

Or. de

Justification

There are problems in the area of risk prevention by the police in defining the scope of the Directive and Regulation. If the risk to be prevented is not punishable as a crime and the police are not therefore preventing a criminal offence in the sense of Article 1(1) of the proposal for a Directive, the Directive cannot be applied (e.g. missing persons files, suicides). The provisions of the General Data Protection Regulation are completely inappropriate for risk prevention.

Amendment 23Proposal for a directiveArticle 1 – paragraph 2 – introductory part


2. In accordance with this Directive, Member States shall:

2. The minimum requirements of this Directive shall be no impediment to Member States retaining or introducing provisions on the protection of personal data that ensure a higher level of protection.

Or. de

Justification

The aim of the Directive should be to create a pan-European minimum standard of protection

PE502.007v01-00 18/74 PA\921963EN.doc

EN

and not to replace existing national rules. Member States must therefore be explicitly allowed to adopt more stringent provisions.

Amendment 24Proposal for a directiveArticle 1 – paragraph 2 – point a


(a) protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data; and

deleted

Or. de

Amendment 25Proposal for a directiveArticle 1 – paragraph 2 – point b


(b) ensure that the exchange of personal data by competent authorities within the Union is neither restricted nor prohibited for reasons connected with the protection of individuals with regard to the processing of personal data.

deleted

Or. de



2. This Directive applies to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

2. This Directive applies to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. The Directive shall not apply if the personal data are stored, or are intended to be stored, in paper files or sets of files.

PA\921963EN.doc 19/74 PE502.007v01-00

EN

Or. de



(b) by the Union institutions, bodies, offices and agencies.

deleted

Or. de

Justification

The EU institutions and authorities should also be covered by the scope of the Directive.

Amendment 28Proposal for a directiveArticle 3 – paragraph 1 – point 1


(1) 'data subject' means an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifiers or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;

(1) 'data subject' means an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person working together with the controller, in particular by reference to an identification number, location data, online identifiers or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;

Or. de



(4) 'restriction of processing' means the marking of stored personal data with the

(4) ) 'blocking' means the marking of stored personal data with the aim of

PE502.007v01-00 20/74 PA\921963EN.doc

EN

aim of limiting their processing in the future;

limiting their processing in the future;

Or. de

Amendment 30Proposal for a directiveArticle 3 – paragraph 1 – point 6 a (new)


(6a) ‘to make anonymous’ shall mean to modify personal data in such a way that information can no longer or only with disproportionate investment of time, cost and labour be attributed to an identified or identifiable individual;

Or. de



(7a) ‘European Union information systems’ shall mean only those information systems that have been established under Chapter 4 or 5 of Title V of Part Three of the Treaty on the Functioning of the European Union or under the Treaty establishing the European Community;

Or. de



(9a) 'the data subject's consent' shall mean any freely given specific, informed

PA\921963EN.doc 21/74 PE502.007v01-00

EN

and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to him or her being processed;

Or. de

Justification

This amendment tightens up the concept of the data subject’s consent. Even if in principle citizens and the State cannot be on equal footing, consent may serve as a justification in individual cases, for example with DNA mass tests.



(14) 'competent authorities’ means any public authority competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties;

(14) ) 'competent authorities’ means any public authority competent for risk prevention, the investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the European Union institutions, bodies, offices and agencies;

Or. de



(a) processed fairly and lawfully; (a) processed lawfully, fairly and in a transparent and verifiable manner;

Or. de

Justification

Brings Directive in line with the text of the Data Protection Regulation. For the purposes of

PE502.007v01-00 22/74 PA\921963EN.doc

EN

the package approach, the same principles concerning data processing should apply to both legal acts.

Amendment 35Proposal for a directiveArticle 4 – paragraph 1 – point c


(c) adequate, relevant, and not excessive in relation to the purposes for which they are processed;

(c) adequate, relevant, and limited to the minimum necessary in relation to the purposes for which they are processed; they shall only be processed where anonymous processing is not sufficient for the respective purpose;

Or. de

Justification

Brings Directive in line with the text of the Data Protection Regulation. For the purposes of the package approach, the same principles concerning data processing should apply to both legal acts.

Amendment 36Proposal for a directiveArticle 4 – paragraph 1 – point e


(e) kept in a form which permits identification of data subjects for no longer than it is necessary for the purposes for which the personal data are processed;

(e) kept in a form which permits identification of data subjects but for no longer than is necessary for the purposes for which the personal data are processed;

Or. de

Justification

Brings Directive in line with the text of the Data Protection Regulation. For the purposes of the package approach, the same principles concerning data processing should apply to both legal acts.

Amendment 37Proposal for a directiveArticle 4 – paragraph 1 – point f – introductory part

PA\921963EN.doc 23/74 PE502.007v01-00

EN


(f) processed under the responsibility and liability of the controller, who shall ensure compliance with the provisions adopted pursuant to this Directive.

(f) processed and used in the course of their duties only by competent staff working in competent authorities;

Or. de

Amendment 38Proposal for a directiveArticle 5


Article 5 deleted

Distinction between different categories of data subjects

1. Member States shall provide that, as far as possible, the controller makes a clear distinction between personal data of different categories of data subjects, such as:

(a) persons with regard to whom there are serious grounds for believing that they have committed or are about to commit a criminal offence;

(b) persons convicted of a criminal offence;

(c) victims of a criminal offence, or persons with regard to whom certain facts give reasons for believing that he or she could be the victim of a criminal offence;

(d) third parties to the criminal offence, such as persons who might be called on to testify in investigations in connection with criminal offences or subsequent criminal proceedings, or a person who can provide information on criminal offences, or a contact or associate to one of the persons mentioned in (a) and (b); and

(e) persons who do not fall within any of the categories referred to above.

PE502.007v01-00 24/74 PA\921963EN.doc

EN

Or. de

Justification

The need for across-the-board obligations to distinguish between different categories of data subjects is not apparent, it is questionable whether they are practicable, and the associated red tape and expenditure is substantial. In the absence of a ruling on the legal consequences, it is uncertain what the legal consequences of making the distinction would be.

Amendment 39Proposal for a directiveArticle 6 – title


Different degrees of accuracy and reliability of personal data

Factual accuracy

Or. de



1. Member States shall ensure that, as far as possible, the different categories of personal data undergoing processing are distinguished in accordance with their degree of accuracy and reliability.

1. The competent authorities shall ensure that, as far as possible, personal data are factually accurate, complete and, if necessary, up to date.

Or. de



2. Member States shall ensure that, as far as possible, personal data based on facts are distinguished from personal data based on personal assessments.

2. The competent authorities shall ensure that personal data which are inaccurate, incomplete or no longer up to date are not transmitted or made available. To that end, the competent authorities shall, as far as practicable, verify the quality of

PA\921963EN.doc 25/74 PE502.007v01-00

EN

personal data before they are transmitted or made available. As far as possible, in all transmissions of data, available information shall be added which enables the receiving Member State to assess the degree of accuracy, completeness, up-to-dateness and reliability. If personal data were transmitted without request the receiving authority shall verify without delay whether these data are necessary for the purpose for which they were transmitted.

3. If it emerges that incorrect data have been transmitted or data have been unlawfully transmitted, the recipient must be notified without delay. The recipient shall be obliged to rectify the data without delay in accordance with paragraph 1 and Article 15 or to erase them in accordance with Article 16.

Or. de

Justification

The proposed text is based on Article 8 of Framework Decision 2008/977/JHA and bans the transmission of factually inaccurate data.



Article 7 deleted

Lawfulness of processing

Member States shall provide that the processing of personal data is lawful only if and to the extent that processing is necessary:

(a) for the performance of a task carried out by a competent authority, based on law for the purposes set out in Article 1(1); or

(b) for compliance with a legal obligation

PE502.007v01-00 26/74 PA\921963EN.doc

EN

to which the controller is subject; or

(c) in order to protect the vital interests of the data subject or of another person; or

(d) for the prevention of an immediate and serious threat to public security.

Or. de

Amendment 43Proposal for a directiveArticle 7 a (new)


Article 7(a)

Lawfulness of processing; purpose limitation

1. The processing of personal data is only lawful if carried out in accordance with the following principles.

2. Personal data may be collected by the responsible authorities as part of their work for specified, explicit and legitimate purposes. Legitimate purposes are served by data collection in particular if it is

(a) for the performance of a task carried out by a competent authority, based on law for the purposes set out in Article 1(1); or

(b) for compliance with a legal obligation to which the controller is subject; or

(c) in order to safeguard the data subject’s legitimate interests; or

(d) in order to safeguard the legitimate interests of another person, unless it is clearly in the legitimate interest of the data subject that the data processing does not take place;

(e) for the prevention of a threat to public security.

3. The processing of personal data must

PA\921963EN.doc 27/74 PE502.007v01-00

EN

fulfil the purpose for which they were collected. Further processing for another purpose shall be permitted in so far as it

(a) serves lawful purposes (paragraph 2);

(b) is necessary for this other purpose;

(c) is not incompatible with the purpose for which the data were collected.

4. Personal data may be further processed for historical, statistical or scientific purposes, by way of derogation from paragraph 3, if the Member States provide for appropriate safeguards such as rendering data anonymous.

Or. de

Justification

The amendment is based on Article 3 of Framework Decision 2008/977/JI and sets out purpose limitation in more detail. Paragraph 4 makes data processing for research purposes possible whilst also protecting the individual concerned. This kind of arrangement is lacking in the Commission’s draft directive. The introduction of data which has been rendered anonymous, as provided for in Article 3, also serves this purpose.

Amendment 44Proposal for a directiveArticle 7 b (new)


Article 7b

Special provisions for personal data from other Member States

Further to the general principles of data processing, the following arrangements shall be applicable to personal data transmitted or made available by the competent authorities of another Member State:

1. Personal data may be forwarded to private parties only if

(a) the competent authority of the Member State from which the data were obtained has consented to transmission in

PE502.007v01-00 28/74 PA\921963EN.doc

EN

compliance with its national law;

(b) no legitimate specific interests of the data subject prevent transmission; and

(c) transfer is essential in particular cases for the competent authority transmitting the data to a private party for:

(i) the performance of a task lawfully assigned to it;

(ii) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties;

(iii) the prevention of an immediate and serious threat to public security, or

(iv) the prevention of serious harm to the rights of individuals.

The competent authority transmitting the data to a private party shall inform the latter of the purposes for which the data may exclusively be used.

2. Personal data may be further processed under the provisions of Article 7(3) only for the following purposes other than those for which they were transmitted or made available:

(a) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties other than those for which they were transmitted or made available;

(b) other judicial and administrative proceedings directly related to the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties;

(c) the prevention of an immediate and serious threat to public security; or

(d) any other purpose only with the prior consent of the transmitting Member State or with the consent of the data subject, given in accordance with national law.

This exemption shall be without prejudice to Article 7(4).

PA\921963EN.doc 29/74 PE502.007v01-00

EN

3. Where, under the law of the transmitting Member State, specific processing restrictions apply in specific circumstances to data exchanges between competent authorities within that Member State, the transmitting authority shall inform the recipient of such restrictions. The recipient shall ensure that these processing restrictions are met.

Or. de

Justification

The revision undertaken in this article adopts the rules of Article 13 of Framework Decision 2088/977/JI on the policy for data from other Member States and affords them special protection. Article 7a serves to protect the Member State in which data originate and thereby creates the necessary confidence for internal Union data exchange, according to which transmitted data will not be further processed by host states simply as they choose.

Amendment 45Proposal for a directiveArticle 7 c (new)


Article 7c

Establishment of time limits for erasure and review

Appropriate time limits shall be established for the erasure of personal data or for a periodic review of the need for the storage of the data. Procedural measures shall ensure that these time limits are observed.

Or. de

Justification

The addition is taken word-for-word from Article 5 of Framework Decision 2008/977/JI.


PE502.007v01-00 30/74 PA\921963EN.doc

EN


1. Member States shall prohibit the processing of personal data revealing race or ethnic origin, political opinions, religion or beliefs, trade-union membership, of genetic data or of data concerning health or sex life.

1. The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership and of data concerning health or sex life shall be permitted only if

Or. de

Justification

This Article has been reworded along the lines of Article 6 of Framework Decision 2008/977/JI. Even if it deviates from the prohibition rule of the draft directive, the processing of sensitive data remains permissible only under stringent conditions. In view of the significance of DNA evidence trails, the prohibition of the processing of genetic data introduced by the Commission has been deleted.



(a) the processing is authorised by a law providing appropriate safeguards;

(a) the processing is absolutely necessary and authorised by a law providing appropriate safeguards; or

Or. de



(b) the processing is necessary to protect the vital interests of the data subject or of another person;

does not affect the English version

Or. de

PA\921963EN.doc 31/74 PE502.007v01-00

EN



(c) the processing relates to data which are manifestly made public by the data subject.

does not affect the English version

Or. de



1. Member States shall provide that measures which produce an adverse legal effect for the data subject or significantly affect them and which are based solely on automated processing of personal data intended to evaluate certain personal aspects relating to the data subject shall be prohibited unless authorised by a law which also lays down measures to safeguard the data subject’s legitimate interests.

1. Measures which produce an adverse legal effect for the data subject or significantly affects him and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to the data subject shall be permitted only if authorised by a law which also lays down measures to safeguard the data subject’s legitimate interests.

Or. de

Justification

The revision undertaken in this article reverts to the wording of the Framework Decision (Article 7 of 2008/977/JI). Profiling remains permissible only under strict conditions, even when the prohibition rule is not adhered to.



2. Automated processing of personal data intended to evaluate certain personal aspects relating to the data subject shall

deleted

PE502.007v01-00 32/74 PA\921963EN.doc

EN

not be based solely on special categories of personal data referred to in Article 8.

Or. de

Justification

Paragraph 2 gives rise to particularly extensive profiling and could easily be avoided.



1. Member States shall provide that the controller takes all reasonable steps to have transparent and easily accessible policies with regard to the processing of personal data and for the exercise of the data subjects' rights.

1. Member States shall provide that the controller takes appropriate and reasonable steps to have transparent and easily accessible policies with regard to the processing of personal data and for the exercise of the data subjects' rights.

Or. de



2. Member States shall provide that any information and any communication relating to the processing of personal data are to be provided by the controller to the data subject in an intelligible form, using clear and plain language.

2. Member States shall provide that any information and any communication relating to the processing of personal data are to be provided by the controller to the data subject in as intelligible a form as possible, using clear and plain language.

Or. de


PA\921963EN.doc 33/74 PE502.007v01-00

EN


4. Member States shall provide that the controller informs the data subject about the follow-up given to their request without undue delay.

deleted

Or. de



Information to the data subject deleted

1. Where personal data relating to a data subject are collected, Member States shall ensure that the controller takes all appropriate measures to provide the data subject with at least the following information:

(a) the identity and the contact details of the controller and of the data protection officer;

(b) the purposes of the processing for which the personal data are intended;

(c) the period for which the personal data will be stored;

(d) the existence of the right to request from the controller access to and rectification, erasure or restriction of processing of the personal data concerning the data subject;

(e) the right to lodge a complaint to the supervisory authority referred to in Article 39 and its contact details;

(f) the recipients or categories of recipients of the personal data, including in third countries or international organisations;

(g) any further information in so far as such further information is necessary to

PE502.007v01-00 34/74 PA\921963EN.doc

EN

guarantee fair processing in respect of the data subject, having regard to the specific circumstances in which the personal data are processed.

2. Where the personal data are collected from the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, whether the provision of personal data is obligatory or voluntary, as well as the possible consequences of failure to provide such data.

3. The controller shall provide the information referred to in paragraph 1:

(a) at the time when the personal data are obtained from the data subject, or

(b) where the personal data are not collected from the data subject, at the time of the recording or within a reasonable period after the collection having regard to the specific circumstances in which the data are processed.

4. Member States may adopt legislative measures delaying, restricting or omitting the provision of the information to the data subject to the extent that, and as long as, such partial or complete restriction constitutes a necessary and proportionate measure in a democratic society with due regard for the legitimate interests of the person concerned:

(a) to avoid obstructing official or legal inquiries, investigations or procedures;

(b) to avoid prejudicing the prevention, detection, investigation and prosecution of criminal offences or for the execution of criminal penalties;

(c) to protect public security;

(d) to protect national security;

(e) to protect the rights and freedoms of others.

5. Member States may determine categories of data processing which may

PA\921963EN.doc 35/74 PE502.007v01-00

EN

wholly or partly fall under the exemptions of paragraph 4.

Or. de



Article 11a

Provision of information to the data subject

1. Member States shall ensure that the data subject is informed regarding the collection or processing of personal data by the controller, in accordance with national law.

2. When personal data have been transmitted or made available between Member States, each Member State may, in accordance with the provisions of its national law referred to in paragraph 1, ask that the other Member State does not inform the data subject. In such cases the latter Member State shall not inform the data subject without the prior consent of the other Member State.

Or. de

Justification

This restricts only the right to information with no enquiry as to the time of data collection, referral instead being made to Member States’ rules. The right of individuals to information set out in Article 12 remains unaffected.



1. Member States may adopt legislative 1. Member States may adopt legislative

PE502.007v01-00 36/74 PA\921963EN.doc

EN

measures restricting, wholly or partly, the data subject's right of access to the extent that such partial or complete restriction constitutes a necessary and proportionate measure in a democratic society with due regard for the legitimate interests of the person concerned:

measures restricting, wholly or partly, depending on the individual case, the data subject's right of access to the extent that such partial or complete restriction constitutes a necessary and proportionate measure in a democratic society with due regard for the legitimate interests of the person concerned:

Or. de

Justification

The important right of access should always be considered on a case-by-case basis.



(b) to avoid prejudicing the prevention, detection, investigation and prosecution of criminal offences or the execution of criminal penalties;

(b) to avoid prejudicing the prevention of risks, the detection, investigation and prosecution of criminal offences or the execution of criminal penalties;

Or. de



(e) to protect the rights and freedoms of others.

(e) to protect the data subject or the rights and freedoms of others.

Or. de


PA\921963EN.doc 37/74 PE502.007v01-00

EN


2. Member States may determine by law categories of data processing which may wholly or partly fall under the exemptions of paragraph 1.

deleted

Or. de

Justification

Refusal of access must always be considered on a case-by-case basis.



1. Member States shall provide for the right of the data subject to request, in particular in cases referred to in Article 13, that the supervisory authority checks the lawfulness of the processing.

1. Member States shall provide for the right of the data subject to request, within the bounds of what is set out in Articles 12 and 13, that the supervisory authority checks the lawfulness of the processing.

Or. de



2. Member State shall provide that the controller informs the data subject of the right to request the intervention of the supervisory authority pursuant to paragraph 1.

2. Member State shall provide that the controller informs the data subject, at the request of the latter, of the right to request the intervention of the supervisory authority pursuant to paragraph 1.

Or. de


PE502.007v01-00 38/74 PA\921963EN.doc

EN


1. Member States shall provide for the right of the data subject to obtain from the controller the rectification of personal data relating to them which are inaccurate. The data subject shall have the right to obtain completion of incomplete personal data, in particular by way of a corrective statement.

1. Member States shall provide for the right of the data subject to obtain the rectification of personal data relating to them which are inaccurate. The data subject shall have the right to obtain completion of incomplete personal data, in particular by way of a corrective statement.

Or. de



2. Member States shall provide that the controller informs the data subject in writing on any refusal of rectification, on the reasons for the refusal and on the possibilities of lodging a complaint to the supervisory authority and seeking a judicial remedy.

2. Member States shall lay down whether the data subject may assert these rights directly against the controller or through the intermediary of the competent national supervisory authority.

3. If the data subject asserts their rights against the controller and the latter refuses the rectification or completion, the controller must inform the data subject in writing on the refusal of rectification, on the reasons for the refusal and on the possibilities of lodging a complaint to the supervisory authority and seeking a judicial remedy

Or. de

Justification

The Member States should be left to make these arrangements themselves.


PA\921963EN.doc 39/74 PE502.007v01-00

EN


1. Member States shall provide for the right of the data subject to obtain from the controller the erasure of personal data relating to them where the processing does not comply with the provisions adopted pursuant to Articles 4 (a) to (e), 7 and 8 of this Directive.

1. Member States shall provide for the right of the data subject to obtain from the controller the erasure of personal data relating to them where the processing does not comply with the provisions adopted pursuant to Articles 4, 6, 7 and 8 of this Directive.

Or. de

Justification

The amendment broadens the scope and strengthens individual rights.



2. The controller shall carry out the erasure without delay.

2. Member States shall lay down whether the data subject may assert this right directly against the controller or through the intermediary of the competent national supervisory authority.

2a. If the data subject asserts their rights against the controller and the latter refuses the rectification or completion, the controller must inform the data subject in writing on the refusal of rectification, on the reasons for the refusal and on the possibilities of lodging a complaint to the supervisory authority and seeking a judicial remedy.

Or. de


PE502.007v01-00 40/74 PA\921963EN.doc

EN


3. Instead of erasure, the controller shall mark the personal data where:

3. If the provisions of this Directive state that personal data should be erased,, blocking shall be sufficient where:

Or. de

Amendment 68Proposal for a directiveArticle 16 – paragraph 3 a (new)


3a. Blocked data may be used only for the purpose for which erasure was not carried out. They may also be used if they are essential to discharge the burden of proof.

Or. de

Justification

The amendment makes clear the legal consequences which blocking should give rise to.



(c) the data subject opposes their erasure and requests the restriction of their use instead.

(c) erasure would affect the data subject’s legitimate interests or the data subject opposes their erasure and requests the restriction of their use instead.

Or. de

Amendment 70Proposal for a directiveArticle 16 – paragraph 3 – point c a (new)

PA\921963EN.doc 41/74 PE502.007v01-00

EN


(ca) obligations to document or keep data laid down by law are a barrier to erasure; in this case the data shall be handled in accordance with the obligations to document or keep data laid down by law;

(b) they are stored only for the purpose of data conservation or data protection controls;

(c) erasure is possible only by means of a disproportionate technical effort, for example as a result of a special storage method.

Or. de



4. Member States shall provide that the controller informs the data subject in writing of any refusal of erasure or marking of the processing, the reasons for the refusal and the possibilities of lodging a complaint to the supervisory authority and seeking a judicial remedy.

deleted

Or. de



Member States may provide that the rights of information, access, rectification, erasure and restriction of processing referred to in Articles 11 to 16 are carried out in accordance with national rules on

Member States may provide that the information, access, rectification, erasure and blocking provided for in Articles 11 to 16 are in harmony with national procedural law where the personal data are

PE502.007v01-00 42/74 PA\921963EN.doc

EN

judicial proceedings where the personal data are contained in a judicial decision or record processed in the course of criminal investigations and proceedings.

contained in a judicial decision or record which is bound to the taking of a court decision.

Or. de

Justification

The article should have broader application to cover all courts and should apply not only to criminal proceedings.



3. The controller shall implement mechanisms to ensure the verification of the effectiveness of the measures referred to in paragraph 1 of this Article. If proportionate, this verification shall be carried out by independent internal or external auditors.

deleted

Or. de

Justification

Article 18(3) has been deleted and not replaced, as there would otherwise be a danger of excessive verification. Data protection officers and supervisory authorities should be sufficient in terms of guaranteeing data protection; additional external or internal assessors are not desirable and would merely cause confusion.



Article 20 deleted

Joint controllers

Member States shall provide that where a controller determines the purposes, conditions and means of the processing of

PA\921963EN.doc 43/74 PE502.007v01-00

EN

personal data jointly with others, the joint controllers must determine the respective responsibilities for compliance with the provisions adopted pursuant to this Directive, in particular as regards the procedures and mechanisms for exercising the rights of the data subject, by means of an arrangement between them.

Or. de

Justification

Article 20 lowers the data protection standard and was therefore deleted without being replaced. It should be left to joint controllers to decide whether to make an arrangement internally for a division of responsibilities. Externally there should be joint liability between both parties, to the benefit of the data subject.



1. Member States shall provide that where a processing operation is carried out on behalf of a controller, the controller must choose a processor providing sufficient guarantees to implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of the provisions adopted pursuant to this Directive and ensure the protection of the rights of the data subject.

1. Member States shall provide that where a processing operation is carried out on behalf of a controller, the controller must choose a processor providing sufficient guarantees

(a) to implement the technical and organisational measures set out in Article 27(1);

(b) that the processing will also meet the requirements of the provisions adopted pursuant to this Directive and ensure the protection of the rights of the data subject; and

(b) that the data subject will follow the

PE502.007v01-00 44/74 PA\921963EN.doc

EN

instructions of the controller.

Or. de

Justification

The revision of this article follows Framework Decision 2008/977/JI, which should not be changed.



2. Member States shall provide that the carrying out of processing by a processor must be governed by a legal act binding the processor to the controller and stipulating in particular that the processor shall act only on instructions from the controller, in particular, where the transfer of the personal data used is prohibited.

2. The carrying out of processing by a processor must be governed by a legal act or a written agreement stipulating that the processor shall act only on instructions from the controller.

Or. de

Justification

The revision of this article follows Framework Decision 2008/977/JI, which should not be changed.



3. If a processor processes personal data other than as instructed by the controller, the processor shall be considered to be a controller in respect of that processing and shall be subject to the rules on joint controllers laid down in Article 20.

3. If a processor processes personal data without or in contravention of an instruction from the controller and in the absence of an appropriate legal obligation, the processor shall be liable for the processing as if he or she were a controller.

PA\921963EN.doc 45/74 PE502.007v01-00

EN

Or. de

Justification

Follows from the deletion of Article 20.



Member States shall provide that the processor and any person acting under the authority of the controller or of the processor, who has access to personal data, may only process them on instructions from the controller or where required by Union or Member State law.

Member States shall provide that the processor and any person acting under the authority of the controller or of the processor, who has access to personal data, may only process them on instructions from the controller or where there is a legal obligation to do so.

Or. de



Article 23 deleted

Documentation

1. Member States shall provide that each controller and processor maintains documentation of all processing systems and procedures under their responsibility.

2. The documentation shall contain at least the following information:

(a) the name and contact details of the controller, or any joint controller or processor;

(b) the purposes of the processing;

(c) the recipients or categories of recipients of the personal data;

(d) transfers of data to a third country or an international organisation, including

PE502.007v01-00 46/74 PA\921963EN.doc

EN

the identification of that third country or international organisation.

3. The controller and the processor shall make the documentation available, on request, to the supervisory authority.

Or. de



1. Member States shall provide that each controller and processor maintains documentation of all processing systems and procedures under their responsibility.

1. All transmissions of personal data are to be logged or documented for the purposes of verification of the lawfulness of the data processing, self-monitoring and ensuring proper data integrity and security.

2. The logs and documents so produced must be made available to the supervisory authority upon request. The supervisory authority shall use this information only for the purpose of checking the lawfulness of the data processing and ensuring proper data integrity and security.

Or. de

Justification

Based on Article 10 of Framework Decision 2008/977/JI.



Article 24 deleted

Keeping of records

1. Member States shall ensure that records are kept of at least the following

PA\921963EN.doc 47/74 PE502.007v01-00

EN

processing operations: collection, alteration, consultation, disclosure, combination or erasure. The records of consultation and disclosure shall show in particular the purpose, date and time of such operations and as far as possible the identification of the person who consulted or disclosed personal data.

2. The records shall be used solely for the purposes of verification of the lawfulness of the data processing, self-monitoring and for ensuring data integrity and data security.

Or. de



1. Member States shall provide that the controller and the processor shall co-operate, on request, with the supervisory authority in the performance of its duties, in particular by providing all information necessary for the supervisory authority to perform its duties.

1. The controller and the processor shall work, on request, with the supervisory authority in the performance of its duties, on the basis of section 2 of Chapter VI of this Directive.

Or. de



2. In response to the supervisory authority's exercise of its powers under points (a)and (b) of Article 46, the controller and the processor shall reply to the supervisory authority within a reasonable period. The reply shall include a description of the measures taken and the results achieved, in response to the

deleted

PE502.007v01-00 48/74 PA\921963EN.doc

EN

remarks of the supervisory authority.

Or. de



1. Member States shall provide that the controller and the processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected, having regard to the state of the art and the cost of their implementation.

1. Member States shall provide that the controller implements technical and organisational measures to prevent

(a) the unintentional or unlawful destruction,

(b) accidental loss,

(c) unauthorised alteration,

(d) unauthorised disclosure or access, in particular where the processing involves transmission over a network or making available by granting direct automated access, and

(e) all other unlawful forms of processing personal data.

Having regard to the state of the art and the cost of their implementation, these measures must ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.

Or. de

Justification

The revision of this article follows Article 22(1) of the Framework Decision.

PA\921963EN.doc 49/74 PE502.007v01-00

EN



2. In respect of automated data processing, each Member State shall provide that the controller or processor, following an evaluation of the risks, implements measures designed to:

2. In respect of automated data processing, each Member State shall take suitable measures to:

Or. de

Amendment 86Proposal for a directiveArticle 27 – paragraph 2 – point j


(j) ensure that the functions of the system perform, that the appearance of faults in the functions is reported (reliability) and that stored personal data cannot be corrupted by means of a malfunctioning of the system (integrity).

Does not affect English version .

Or. de

Translator’s note

The German amendment would bring the text more closely into line with the wording of Article 22(2)(j) of Council Framework Decision 2008/977/JHA by replacing the word ‘beschädigt’ with the word ‘verfälscht’. The English version of this part of the present proposal is already in line with the wording of the Framework Decision.


PE502.007v01-00 50/74 PA\921963EN.doc

EN


3. The Commission may adopt, where necessary, implementing acts for specifying the requirements laid down in paragraphs 1 and 2 to various situations, notably encryption standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 57(2).

3. The Member States may adopt, where necessary, provisions for specifying the requirements laid down in paragraphs 1 and 2 to various situations, notably encryption standards.

Or. de



Article 28a

Prior consultation

Member States shall ensure that the competent national supervisory authorities are consulted prior to the processing of personal data which will form part of a new filing system to be created where:

(a) special categories of data under Article 8 are to be processed, or

(b) the type of processing, in particular using new technologies, mechanism or procedures, holds otherwise specific risks for the fundamental rights and freedoms, and in particular the privacy, of the data subject.

Or. de

Justification

The wording is taken from Article 13 of Framework Decision 2088/977/JI

PA\921963EN.doc 51/74 PE502.007v01-00

EN



5. The Commission shall be empowered to adopt delegated acts in accordance with Article 56 for the purpose of specifying further the criteria and requirements for establishing the data breach referred to in paragraphs 1 and 2 and for the particular circumstances in which a controller and a processor is required to notify the personal data breach.

deleted

Or. de

Justification

The criteria and requirements for establishing a data breach are already sufficiently specified in paragraph 1. The proposed delegation of legislative powers would in any event touch upon essential elements which can not be delegated, and they should be specified in the basic act. A corresponding change is also suggested in the General Data Protection Regulation.



Article 29 deleted

Communication of a personal data breach to the data subject

1. Member States shall provide that when the personal data breach is likely to adversely affect the protection of the personal data or privacy of the data subject, the controller shall, after the notification referred to in Article 28, communicate the personal data breach to the data subject without undue delay.

2. The communication to the data subject referred to in paragraph 1 shall describe the nature of the personal data breach and contain at least the information and

PE502.007v01-00 52/74 PA\921963EN.doc

EN

the recommendations provided for in points (b) and (c) of Article 28(3).

3. The communication of a personal data breach to the data subject shall not be required if the controller demonstrates to the satisfaction of the supervisory authority that it has implemented appropriate technological protection measures, and that those measures were applied to the personal data concerned by the personal data breach. Such technological protection measures shall render the data unintelligible to any person who is not authorised to access it.

4. The communication to the data subject may be delayed, restricted or omitted on the grounds referred to in Article 11(4).

Or. de

Amendment 91Proposal for a directiveArticle 31 – paragraph 4 – point 1 (new)


(1) The data protection officer shall not be penalised for performing his tasks. The data protection officer may not be dismissed while he is employed in that capacity or in the course of the next year thereafter unless facts emerge which provide sufficiently important grounds for the controller to dismiss him.

Or. de



(a) the transfer is necessary for the prevention, investigation, detection or

(a) the transfer is necessary for the prevention of risk, the investigation,

PA\921963EN.doc 53/74 PE502.007v01-00

EN

prosecution of criminal offences or the execution of criminal penalties;

detection or prosecution of criminal offences or the execution of criminal penalties; and

Or. de



(b) the conditions laid down in this Chapter are complied with by the controller and processor.

(b) the conditions laid down in this Chapter are complied with.

Or. de



2. Where no decision adopted in accordance with Article 41 of Regulation (EU) …./2012 exists, the Commission shall assess the adequacy of the level of protection, giving consideration to the following elements:

2. Where no decision adopted in accordance with Article 41 of Regulation (EU) …./2012 exists, the Commission shall assess the adequacy of the level of protection, giving consideration to all the circumstances generally surrounding data transfers or categories of data transfer which can be assessed without reference to specific transfer operations. The assessment shall give particular consideration to the following elements:

Or. de



3. The Commission may decide, within the 3. The Commission shall be empowered to

PE502.007v01-00 54/74 PA\921963EN.doc

EN

scope of this Directive, that a third country or a territory or a processing sector within that third country or an international organisation ensures an adequate level of protection within the meaning of paragraph 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 57(2).

adopt delegated acts in accordance with Article 56 to supplement the list in Annex [x] of third countries, territories or processing sectors within third countries or international organisations which ensure an adequate level of protection within the meaning of paragraph 2. When determining the level of protection, the Commission must consider whether the relevant legislation, both general and sectoral, in force in the third country or international organisation, guarantees effective and enforceable rights including effective administrative and judicial redress for data subjects, in particular for those data subjects whose personal data are being transferred.

Or. en

Justification

Because of the far-reaching nature of the determinations involved, they go beyond what is required for uniform conditions for implementation, and these non-essential elements must therefore be the subject of a delegation of legislative power in accordance with Article 290 TFEU. A corresponding change is also suggested in the General Data Protection Regulation.



4. The implementing act shall specify its geographical and sectoral application, and, where applicable, identify the supervisory authority mentioned in point (b) of paragraph 2.

4. According to Article 340(2) TFEU and settled case-law of the Court of Justice, the Union shall, in accordance with the general principles common to the laws of the Member States, make good any damage caused by its institutions in the performance of their duties, including any damage due to wrongful use of personal data following an incorrect determination under paragraphs 2 and 3.

Or. en

PA\921963EN.doc 55/74 PE502.007v01-00

EN

Justification

The non-contractual liability of the Union in cases where incorrect determinations are made on the basis of the criteria in paragraphs 2 and 3 should furthermore be made explicit.



5. The Commission may decide, within the scope of this Directive, that a third country or a territory or a processing sector within that third country or an international organisation ensures an adequate level of protection within the meaning of paragraph 2, in particular in cases where the relevant legislation, both general and sectoral, in force in the third country or international organisation, does not guarantee effective and enforceable rights including effective administrative and judicial redress for data subjects, in particular for those data subjects whose personal data are being transferred. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 57(2), or, in cases of extreme urgency for individuals with respect to their right to personal data protection, in accordance with the procedure referred to in Article 57(3).

deleted

Or. de



6. Member States shall ensure that where the Commission decides pursuant to paragraph 5, that any transfer of personal

deleted

PE502.007v01-00 56/74 PA\921963EN.doc

EN

data to the third country or a territory or a processing sector within that third country, or the international organisation in question shall be prohibited, this decision shall be without prejudice to transfers under Article 35(1) or in accordance with Article 36. At the appropriate time, the Commission shall enter into consultations with the third country or international organisation with a view to remedying the situation resulting from the Decision made pursuant to paragraph 5 of this Article.

Or. de



8. The Commission shall monitor the application of the implementing acts referred to in paragraphs 3 and 5.

deleted

Or. de



Article 35 deleted

Transfers by way of appropriate safeguards

1. Where the Commission has taken no decision pursuant to Article 34, Member States shall provide that a transfer of personal data to a recipient in a third country or an international organisation may take place where:

(a) appropriate safeguards with respect to the protection of personal data have been

PA\921963EN.doc 57/74 PE502.007v01-00

EN

adduced in a legally binding instrument; or

(b) the controller or processor has assessed all the circumstances surrounding the transfer of personal data and concludes that appropriate safeguards exist with respect to the protection of personal data.

2. The decision for transfers under paragraph 1 (b) must be made by duly authorised staff. These transfers must be documented and the documentation must be made available to the supervisory authority on request.

Or. de



Article 35a

Transfers with appropriate safeguards

1. Where the Commission has taken no decision pursuant to Article 34, a transfer of personal data to a recipient in a third country or an international organisation may take place where:

(a) appropriate safeguards with respect to the protection of personal data have been adduced in a legally binding instrument;

(b) the controller or processor has assessed all the circumstances generally surrounding the transfer of personal data (Article 43(2)) and concludes that appropriate safeguards exist with respect to the protection of personal data, or

(c) a specific transfer of personal data may take place (Article 36) despite the Commission having concluded that an adequate level of data protection does not

PE502.007v01-00 58/74 PA\921963EN.doc

EN

exist.

Or. de

Amendment 102Proposal for a directiveArticle 35 b (new)


Article 35b

Transfer of personal data originating in other Member States

1. Member States shall provide that any transfer by competent authorities of personal data transmitted or provided by the responsible authorities of another Member State, including further onward transfer to a third country or international organisation, may take place only if:

(a) the recipient in the third country or the receiving international body is responsible for the prevention of risk or the investigation, detection or prosecution of criminal offences or the execution of criminal penalties;

(b) the Member State from which the data were transferred has given its consent to transfer in compliance with its national law, and

(c) in cases covered by paragraph 3 of Article 34(a) and Article 35(b) and (c), the Member State from which the data were transferred also considers that, in compliance with its national law, appropriate safeguards exist in respect of the protection of the data transferred.

2. Onward transfer without prior consent in accordance with paragraph 1(b) shall be permitted only if transfer of the data is essential for the prevention of an immediate and serious threat to public security of a Member State or a third

PA\921963EN.doc 59/74 PE502.007v01-00

EN

State or to essential interests of a Member State and the prior consent cannot be obtained in good time. The authority responsible for giving consent shall be informed without delay.

3. By way of derogation from point (c) of paragraph 1, onward transfer of personal data may take place if the national law of the Member State transferring the data so provides on the grounds of:

(a) the compelling and legitimate interests of the data subject; or

(b) compelling and legitimate interests, in particular important public interests.

4. Personal data may be forwarded to private parties only under the conditions set out in paragraph 1 of Article 7(a)

Or. de

Justification

Article 35b corresponds to Article 13 of Framework Decision 2088/977/JI; it introduces special rules on the handling of data from other Member States and affords them special protection. This provision serves to protect the Member State in which data originate and thereby creates the necessary confidence for internal Union data on the basis that transmitted data will not be further processed by host states as they choose.



Article 36a

Derogations in the case of specific data transfers after weighing the competing

interests involved

1. 1. Where the Commission concludes pursuant to Article 34(5) that an adequate level of protection does not exist, personal data may not be transferred to the third country or a territory or a processing sector within that third country, or the international organisation in question, if,

PE502.007v01-00 60/74 PA\921963EN.doc

EN

in the case in question, the legitimate interests of the data subject in preventing any such transfer outweigh the public interest in transferring such data .

2. The adequacy of the level of protection in place in the case in question shall be one of the factors taken into account when the merits of the competing interests involved are compared. The assessment of the adequacy of the level of protection in the case in question shall give particular consideration to the circumstances surrounding the proposed data transfer, including in particular:

(a) the nature of the data that are to be transferred,

(b) the purpose(s) served by transferring it, and

(c) the duration of the proposed processing operation in the third country.

By way of derogation from Articles 1 and 35, Member States may provide that a transfer of personal data to a third country or an international organisation may take place only on condition that:

(a) the transfer is necessary to safeguard the vital and legitimate interests of the data subject or of another person, particularly in terms of their physical safety and well-being;

(b) the transfer is necessary to safeguard legitimate interests of the data subject where the law of the Member State transferring the personal data so provides; or

(c) the transfer is necessary for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties; or

(e) the transfer is necessary in individual cases for the establishment, exercise or defence of legal claims relating to the prevention, investigation, detection or

PA\921963EN.doc 61/74 PE502.007v01-00

EN

prosecution of a specific criminal offence or the execution of a specific criminal penalty.

4. In individual cases an adequate standard of protection may exist if the third country or a territory, a processing sector or an interstate or supranational body within that third country, or the international organisation, guarantees that the transferred data will receive an adequate level of protection.

Or. de

Justification

The rewording of Article 36 follows the logic of Articles 34 and 35. In strictly limited individual cases it must be possible for data to be transferred – subject to very strict conditions – to third countries whose data protection standards are judged to be inadequate in order to safeguard interests of paramount importance, such as life and limb.



By way of derogation from Articles 34 and 35, Member States shall provide that a transfer of personal data to a third country or an international organisation may take place only on condition that:

deleted

(a) the transfer is necessary in order to protect the vital interests of the data subject or another person;

(b) the transfer is necessary to safeguard legitimate interests of the data subject where the law of the Member State transferring the personal data so provides; or

(c) the transfer of the data is essential for the prevention of an immediate and serious threat to public security of a Member State or a third country; or

(d) the transfer is necessary in individual

PE502.007v01-00 62/74 PA\921963EN.doc

EN

cases for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties; or

(e) the transfer is necessary in individual cases for the establishment, exercise or defence of legal claims relating to the prevention, investigation, detection or prosecution of a specific criminal offence or the execution of a specific criminal penalty.

Or. de



Member States shall provide that the controller informs the recipient of the personal data of any processing restrictions and takes all reasonable steps to ensure that these restrictions are met.

Member States shall provide that the controller informs the recipient of the personal data of any processing restrictions and takes all reasonable steps to ensure that these restrictions are met. The first sentence shall also apply to any processing restrictions with which the controller must comply pursuant to paragraph 3 of Article 7(a).

Or. de

Justification

When data is transferred within the EU, any processing restrictions in place at national level must also apply when the data is transferred to a third country; otherwise, there would be insufficient confidence in the system to enable EU to be transferred within the EU.



2. For the purposes of paragraph 1, the Commission shall take appropriate steps to

2. For the purposes of paragraph 1, the Commission shall take appropriate steps,

PA\921963EN.doc 63/74 PE502.007v01-00

EN

advance the relationship with third countries or with international organisations, and in particular their supervisory authorities, where the Commission has decided that they ensure an adequate level of protection within the meaning of Article 34(3).

within the scope of application of this Directive, to advance the relationship with third countries or with international organisations, and in particular their supervisory authorities, where the Commission has decided that they ensure an adequate level of protection within the meaning of Article 34(3). In so doing the Commission shall have due regard to the competences of the Member States and the legal or practical measures taken in connection with the exercise of those competences.

Or. de



5. Where the term of office expires or the member resigns, the member shall continue to exercise their duties until a new member is appointed.

5. Where the term of office expires or the member resigns, the member shall, if so requested, continue to exercise their duties until a new member is appointed.

Or. de

Justification

If a member were dismissed on the grounds of serious misconduct it might be inappropriate for him or her to remain in post until a successor was appointed. The member should only remain in post if so requested, therefore.



1. Member States shall provide that each supervisory authority exercises, on the territory of its own Member State, the powers conferred on it in accordance with this Directive.

1. Member States shall provide that each supervisory authority exercises, on the territory of its own Member State, at least the powers conferred on it in accordance with this Directive.

PE502.007v01-00 64/74 PA\921963EN.doc

EN

Or. de



(a) monitors and ensures the application of the provisions adopted pursuant to this Directive and its implementing measures;

(a) monitors and ensures the application of, at least, the provisions adopted pursuant to this Directive and its implementing measures;

Or. de



(b) hears complaints lodged by any data subject, or by an association representing and duly mandated by that data subject in accordance with Article 50, investigates, to the extent appropriate, the matter and informs the data subject the association of the progress and the outcome of the complaint within a reasonable period, in particular where further investigation or coordination with another supervisory authority is necessary;

(b) hears complaints lodged by any data subject, investigates, to the extent appropriate, the matter and informs the data subject of the progress and the outcome of the complaint within a reasonable period, in particular where further investigation or coordination with another supervisory authority is necessary;

Or. de

Justification

Amendment required in consequence of the deletion of the right of associations to lodge complaints (Article 50).


PA\921963EN.doc 65/74 PE502.007v01-00

EN


(e) conducts investigations either on its own initiative or on the basis of a complaint, or on request of another supervisory authority, and informs the data subject concerned, if the data subject has addressed a complaint, of the outcome of the investigations within a reasonable period;

(e) conducts investigations on the basis of a complaint, or on request of another supervisory authority, and informs the data subject concerned, if the data subject has addressed a complaint, of the outcome of the investigations within a reasonable period; the supervisory authority may also conduct such investigations on its own initiative, within the limits of national legislation;

Or. de

Amendment 112Proposal for a directiveArticle 45 – paragraph 1 – point g


(g) is consulted by Member State institutions and bodies on legislative and administrative measures relating to the protection of individuals' rights and freedoms with regard to the processing of personal data;

(g) may be consulted by Member State institutions and bodies on legislative and administrative measures relating to the protection of individuals' rights and freedoms with regard to the processing of personal data;

Or. de



2. Each supervisory authority shall promote the awareness of the public on risks, rules, safeguards and rights in relation to the processing of personal data. Activities addressed specifically to children shall receive specific attention.

2. Each supervisory authority shall promote, within the limits of the tasks and powers conferred on it and the constraints of national law, the awareness of the public on risks, rules, safeguards and rights in relation to the processing of personal data. Activities addressed specifically to children shall receive specific attention.

PE502.007v01-00 66/74 PA\921963EN.doc

EN

Or. de



(c) the power to engage in legal proceedings where the provisions adopted pursuant to this Directive have been infringed or to bring this infringement to the attention of the judicial authorities.

(c) the power to engage in legal proceedings where the provisions adopted pursuant to this Directive have been infringed or to bring this infringement to the attention of the judicial authorities. Decisions by the supervisory authority which give rise to complaints may be appealed against through the courts

Or. de

Justification

The inclusion of a guaranteed right to appeal through the courts is clearly necessary; the wording is taken directly from Article 25(2)(c) of Framework Decision 2008/977/JI.



Member States shall provide that each supervisory authority draws up an annual report on its activities. The report shall be made available to the Commission and the European Data Protection Board.

Member States shall provide that each supervisory authority draws up a report on its activities at regular intervals of not more than three years.

Or. de


PA\921963EN.doc 67/74 PE502.007v01-00

EN


2. Member States shall provide for the right of any body, organisation or association which aims to protect data subjects’ rights and interests concerning the protection of their personal data and is being properly constituted according to the law of a Member State to lodge a complaint with a supervisory authority in any Member State on behalf of one or more data subjects, if it considers that a data subject’s rights under this Directive have been infringed as a result of the processing of personal data. The organisation or association must be duly mandated by the data subject(s).

deleted

Or. de

Justification

Amendment to this Article provides for the complete deletion of the right to initiate class actions, as there is no rational requirement for such a right under data protection law. Police measures always relate to infringements of an individual’s rights.



3. Member States shall provide for the right of any body, organisation or association referred to in paragraph 2, independently of a data subject's complaint, to lodge a complaint with a supervisory authority in any Member State, if it considers that a personal data breach has occurred.

deleted

Or. de

PE502.007v01-00 68/74 PA\921963EN.doc

EN



Without prejudice to any available administrative remedy, including the right to lodge a complaint with a supervisory authority, Member States shall provide for the right of every natural person to a judicial remedy if they consider that that their rights laid down in provisions adopted pursuant to this Directive have been infringed as a result of the processing of their personal data in non-compliance with these provisions.

Without prejudice to any available administrative remedy, including the right to lodge a complaint with a supervisory authority, Member States shall provide for the right of every natural person to a judicial remedy if their rights laid down in provisions adopted pursuant to this Directive have been infringed as a result of the processing of their personal data in non-compliance with these provisions.

Or. de



1. Member States shall provide for the right of any body, organisation or association referred to in Article 50(2) to exercise the rights referred to in Articles 51 and 52 on behalf of one or more data subjects.

deleted

Or. de

Justification

Follows on from the deletion of the right to initiate class actions in Article 50.



2. Each supervisory authority shall have deleted

PA\921963EN.doc 69/74 PE502.007v01-00

EN

the right to engage in legal proceedings and bring an action to court, in order to enforce the provisions adopted pursuant to this Directive or to ensure consistency of the protection of personal data within the Union.

Or. de

Justification

Proceedings should always relate to an individual case.

Amendment 121Proposal for a directiveArticle 54 – paragraph 1 a (new)


1 a. Where a competent authority of a Member State has transmitted personal data, the recipient cannot, in the context of its liability vis-à-vis the injured party in accordance with national law, cite in its defence that the data transmitted were inaccurate. If the recipient pays compensation for damage caused by the use of incorrectly transmitted data, the transmitting competent authority shall refund to the recipient the amount paid in damages, taking into account any fault that may lie with the recipient.

Or. de

Justification

Cf. Article 19(1) and (2) of Framework Decision 2008/977/JHA



Member States shall lay down the rules on penalties, applicable to infringements of

Member States shall adopt suitable measures to ensure the full

PE502.007v01-00 70/74 PA\921963EN.doc

EN

the provisions adopted pursuant to this Directive and shall take all measures necessary to ensure that they are implemented. The penalties provided for must be effective, proportionate and dissuasive.

implementation of the provisions of this Framework Decision and shall in particular lay down the rules on penalties, applicable to infringements of the provisions adopted pursuant to this Directive and shall take all measures necessary to ensure that they are implemented. The penalties provided for must be effective, proportionate and dissuasive.

Or. de

Justification

Cf. Article 24 of Framework Decision 2008/977/JHA.



2. The delegation of power referred to in Article 28(5) shall be conferred on the Commission for an indeterminate period of time from the date of entry into force of this Directive.

2. The delegation of power referred to in Article 34(3) shall be conferred on the Commission for an indeterminate period of time from the date of entry into force of this Directive.

Or. de

Justification

Consequential amendment because of the deletion of the delegation in Article 28(5) and the change from implementing to delegated acts in Article 34(3).



3. The delegation of power referred to in Article 28(5) may be revoked at any time by the European Parliament or by the

3. The delegation of power referred to in Article 34(3) may be revoked at any time by the European Parliament or by the

PA\921963EN.doc 71/74 PE502.007v01-00

EN

Council. A decision of revocation shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

Council. A decision of revocation shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

Or. de

Justification




5. A delegated act adopted pursuant to Article 28(5) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of 2 months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by 2 months at the initiative of the European Parliament or the Council.

5. A delegated act adopted pursuant to Article 34(3) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of 2 months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by 2 months at the initiative of the European Parliament or the Council.

Or. de

Justification



PE502.007v01-00 72/74 PA\921963EN.doc

EN


2. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.

deleted

Or. de

Justification

Consequential amendment because of changes made to Article 34(5).



International agreements concluded by Member States prior to the entry force of this Directive shall be amended, where necessary, within five years after the entry into force of this Directive.

1. International agreements concluded by Member States prior to the entry force of this Directive shall be amended, where necessary, within ten years after the entry into force of this Directive except where they are in any case subject to separate controls.

2. Notwithstanding paragraph 1, the provisions of Article 36 shall apply by analogy, in the event of a negative adequacy decision, to international agreements concluded before the entry into force of this Directive..

Or. de

Justification

In view of the number and complexity of the existing international agreements, an adjustment period of five years seems inappropriately short. The Article 36 rules cannot apply only between the Member States but must also apply by analogy to existing international agreements.


PA\921963EN.doc 73/74 PE502.007v01-00

EN


2. The Commission shall review within three years after the entry into force of this Directive other acts adopted by the European Union which regulate the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, in particular those acts adopted by the Union referred to in Article 59, in order to assess the need to align them with this Directive and make, where appropriate, the necessary proposals to amend these acts to ensure a consistent approach on the protection of personal data within the scope of this Directive.

deleted

Or. de

Amendment 129Proposal for a directiveArticle 57 – Annex [x](new)


Annex [x]

List of third countries, territories or processing sectors within third countries

or international organisations which ensure an adequate level of protection

within the meaning of Article 34(2)

Or. en

Justification

Consequential amendment because of changes made to Article 34.

PE502.007v01-00 74/74 PA\921963EN.doc

EN

Documents

MEP Voss (EPP) Draft Opinion European Data Protection Directive for JURI